>Number: 31417
>Category: pkg
>Synopsis: x11/gdm logs username for failed login attempts
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Sep 29 13:51:00 +0000 2005
>Originator: Hauke Fath <hf@spg.tu-darmstadt.de>
>Release: NetBSD 3.0_BETA
>Organization:
--
/~\ The ASCII Ribbon Campaign Hauke Fath
\ / No HTML/RTF in email Institut für Nachrichtentechnik
X No Word docs in email TU Darmstadt
/ \ Respect for open standards Ruf +49-6151-16-3281
>Environment:
System: NetBSD Goliberg 3.0_BETA NetBSD 3.0_BETA (SPG_PIII) #5: Fri Sep 23 00:43:45 CEST 2005 hf@heiligenberg:/var/obj/netbsd-builds/3_0/i386/sys/arch/i386/compile/SPG_PIII i386
Architecture: i386
Machine: i386
>Description:
When x11/gdm logs a failed login attempt, it logs the username
with it. This is a security risk (which is why I marked the PR
'critical') since if the user just got out of sync with the
login wifget, she'll have her password logged. And she has to
get help from the admin to remove it - if she is aware of the
fact at all.
But it gets worse: gdm syslogs _everything_ with category
LOG_DAEMON which goes to the usually world-readable
/var/log/messages.
>How-To-Repeat:
Get out of sync with the gdm greeter; find your password
logged to /var/log/messages and the console.
Look through the config files and the gdm documentation and
find that at runtime you can neither change the syslog
category, nor change the amount of data that's being loggend
(which is quite considerable), nor disable logging of failed
login attempts.
Look through the source and find that at compile time, you can
neither gnuconfigure a different syslog category, nor limit
the amount of logged information, nor disable logging of
failed login attempts.
>Fix:
Stop-gap:
Switch back to xdm.
gdm fixes:
(1) Make syslog category configurable _at least_ at compile
time. Better: Use log_auth for any sensitive data, and a
configurable category for anything else, including debug
information, which can then be directed to a gdm-only logfile.
(2) Make the amount of information logged controllable at
least at compile time. Per default, log less to console.
(3) Introduce a config-file switch to control logging of
failed login attempts. Default to _off_.
>Unformatted: